CVE-2026-27855

EUVD-2026-16563

27.03.2026, 09:16

Dovecot OTP authentication is vulnerable to replay attack under specific conditions. If auth cache is enabled, and username is altered in passdb, then OTP credentials can be cached so that same OTP reply is valid. An attacker able to observe an OTP exchange is able to log in as the user. If authentication happens over unsecure connection, switch to SCRAM protocol. Alternatively ensure the communcations are secured, and if possible switch to OAUTH2 or SCRAM. No publicly available exploits are known.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.8 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
dovecot	dovecot	𝑥 < 2.4.3
open-xchange	dovecot	𝑥 ≤ 2.3.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

dovecot

bookworm	vulnerable
bookworm (security)	1:2.3.19.1+dfsg1-2.1+deb12u4 fixed
bullseye	vulnerable
bullseye (security)	1:2.3.13+dfsg1-2+deb11u3 fixed
forky	1:2.4.3+dfsg1-2 fixed
sid	1:2.4.3+dfsg1-2 fixed
trixie	vulnerable
trixie (security)	1:2.4.1+dfsg1-6+deb13u4 fixed

Ubuntu Releases

Ubuntu Product

Codename

dovecot

bionic	needed
focal	needed
jammy	Fixed 1:2.3.16+dfsg1-3ubuntu2.7 released
noble	Fixed 1:2.3.21+dfsg1-2ubuntu6.3 released
questing	Fixed 1:2.4.1+dfsg1-5ubuntu4.1 released
resolute	not-affected
trusty	needed
xenial	needed

openSUSE / SLES Releases

openSUSE Product

Release

dovecot22

suse enterprise server 12 SP3	2.2.31-19.32.1 fixed
suse enterprise server 12 SP5	2.2.31-19.32.1 fixed

dovecot22-backend-mysql

suse enterprise server 12 SP3	2.2.31-19.32.1 fixed
suse enterprise server 12 SP5	2.2.31-19.32.1 fixed

dovecot22-backend-pgsql

suse enterprise server 12 SP3	2.2.31-19.32.1 fixed
suse enterprise server 12 SP5	2.2.31-19.32.1 fixed

dovecot22-backend-sqlite

suse enterprise server 12 SP3	2.2.31-19.32.1 fixed
suse enterprise server 12 SP5	2.2.31-19.32.1 fixed

dovecot22-devel

suse enterprise server 12 SP5

2.2.31-19.32.1

fixed

Common Weakness Enumeration

CWE-294 - Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

Vulnerability Media Exposure

[GERMAN] Dovecot: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Dovecot ausnutzen, um SQL-Injection-Angriffe durchzuführen, die Authentifizierung zu umgehen, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand herbeizuführen.
Published: 2026-03-26T23:00:00+00:00

References

https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json